This paper characterises the coarsest refinement preorders on labelled transition systems that are
precongruences for renaming and partially synchronous interleaving operators, and respect all safety,
liveness, and conditional liveness properties, respectively.

1 Introduction 


The goal of this paper is to define and characterise certain semantic equivalences $=$ and refinement
preorders $\sqsubseteq$ on processes. The idea is that $p = q$ says, essentially, that for practical purposes processes
$p$ and $q$ are equally suitable, i.e. one can be replaced by the other without untoward side effects.
Likewise, $p \sqsubseteq q$ says that for all practical purposes under consideration, $q$ is at least as suitable as $p$, i.e.
it will never harm to replace $p$ by $q$. Thus, one should have that $p = q$ iff both $p \sqsubseteq q$ and $q \sqsubseteq p$.

Naturally, the choice of $=$ and $\sqsubseteq$ depends on how one models a process, and what range of practical
purposes one considers. In this paper I restrict myself to one of the most basic process models: labelled
transition systems. I study processes that merely perform actions $a, b, c, \ldots$ which themselves are not
subject to further investigations. These actions may be instantaneous or durational, but they may not last
forever; moreover, in a finite amount of time only finitely many actions can be carried out. I distinguish
between visible actions, that can be observed by the environment of a process, and whose occurrence can
be influenced by this environment, and invisible actions, that cannot be observed or influenced. Since
there is no need to distinguish different invisible actions, I can just as well consider all of them to be
occurrences of the same invisible action, which is traditionally called $\tau$. Furthermore, I abstract from
real-time and probabilistic aspects of processes.

This choice of process model already rules out many practical purposes for which one process could
be more suitable than another. I can for instance not compare processes on speed, since this is an issue
that my process model has already abstracted from. In fact, the only aspects of processes that are captured
by such a model and that may matter in practical applications, are the sequences of actions that a process 
may perform in a, possibly infinite, run, performed in, or in collaboration with, a certain environment. 
As the invisible action is by definition unobservable, it moreover suffices to consider sequences of visible 
actions. A sequence of visible actions that a process p may perform is called a trace of p; it is a complete 
trace if it is performed during a maximal run of p, one that cannot be further extended. Obviously, the 
traces of p are completely determined by the complete traces of p, namely as their prefixes. 

Based on the considerations above, it is tempting to postulate that the relevant behaviour of a process,
as far as discernible in terms of labelled transition systems, is completely determined by its set
of complete traces; hence two processes should be equivalent if they have the same complete traces.
However, this argument bypasses the role of the environment in influencing the behaviour of a process.
Often, one allows the actions a process performs to be synchronisations with the environment, and the
environment can influence the course of action of a process by synchronising with some actions but not
with others. Therefore, a safe over-approximation of the relevant behaviour of a process is not merely its
set of complete traces, but rather its set of complete traces obtained as a function of the environment the
process is running in.

In this paper I consider a neutral environment in which all courses of action are possible and the
behaviour of a process is indeed determined by its complete traces. All other ways in which the environment
may influence the behaviour of a process are given in terms of contexts built from other processes
and certain composition operators. It could for instance be that in the neutral environment there is no
way to tell the difference between processes $p$ and $q$; maybe because they have the same set of complete
traces. However, for a suitable parallel composition operator $\|$ and other process $r$ it may be that there
is a manifest practical difference between $p\|r$ and $q\|r$, so that one has $p\|r \neq q\|r$. Now that fact alone
is taken to be enough reason to postulate that $p \neq q$. Namely the difference between $p$ and $q$ can be
spotted by placing them in a context $\_\|r$. This context can be regarded as an environment in which the
behaviours of $p$ and $q$ differ.

Following this programme, a suitable semantic equivalence on processes is defined in terms of two
requirements. First of all the behaviour of processes is compared in the neutral environment. This entails
isolating a class $\mathcal{C}$ of properties $\varphi$ of processes that are deemed relevant in a given range of applications.
One then requires for $p = q$ to hold that $p$ and $q$ have the same properties from this class:

$$p = q \;\Rightarrow\; \forall \varphi \in \mathcal{C}.\ (p \models \varphi \Leftrightarrow q \models \varphi) \qquad (1)$$

where $p \models \varphi$ denotes that process $p$ has the property $\varphi$. An equivalence $=$ that satisfies this last requirement
is said to respect or preserve the properties in $\mathcal{C}$. The second requirement entails selecting a class
$\mathcal{O}$ of useful operators for combining processes. One then requires that for any context $C[\_]$ (such as $\_\|r$)
built from operators from $\mathcal{O}$ and arbitrary processes,

$$p = q \;\Rightarrow\; C[p] = C[q]. \qquad (2)$$

An equivalence $=$ that satisfies this last requirement is called a congruence for $\mathcal{O}$. For the sake of intuition
it may help to consider the contrapositive formulation of these implications: if there exists a property $\varphi$
in $\mathcal{C}$ that holds for $p$ but not for $q$, or vice versa, then $p$ and $q$ cannot be considered equivalent. Likewise
$C[p] \neq C[q]$ implies $p \neq q$.

These two requirements merely insist that the desired equivalence $=$ does not identify processes that
in some context differ on their relevant properties. They are satisfied by many equivalence relations,
including the identity relation, that distinguishes all processes. In order to characterise precisely when
two systems have the same relevant properties in any relevant context, one takes the coarsest equivalence
satisfying (1) and (2); the one making the most identifications. This equivalence is called fully abstract
w.r.t. $\mathcal{C}$ and $\mathcal{O}$. It always exists, and, as is straightforward to check, is characterised by

$$p = q \;\Leftrightarrow\; \forall\, \mathcal{O}\text{-context } C[\_].\ \forall \varphi \in \mathcal{C}.\ (C[p] \models \varphi \Leftrightarrow C[q] \models \varphi).$$

When, for a certain application, the choice of $\mathcal{C}$ and $\mathcal{O}$ is clear, the unique equivalence relation that
is fully abstract w.r.t. $\mathcal{C}$ and $\mathcal{O}$ is the right semantic equivalence for that application. However, when
the choice of $\mathcal{C}$ and $\mathcal{O}$ is not clear, or when proving results that may be re-used in future applications
that may call for extending $\mathcal{C}$ or $\mathcal{O}$, it is better to err on the side of caution, and use equivalences that
satisfy (1) and (2) but need not be fully abstract; instead the finest equivalence $=_{\mathit{fine}}$ for which a result
$p =_{\mathit{fine}} q$ can be proved is often preferable, because this immediately entails that $p = q$ for any coarser
equivalence relation $=$, in particular for an $=$ that may turn out to be fully abstract for some future choice
of $\mathcal{C}$ and $\mathcal{O}$. It is for this reason that much actual verification work employs the finest equivalences that
lend themselves for verification purposes, such as the various variants of bisimulation equivalence [12],
see e.g. [7]. Nevertheless, this paper is devoted to the characterisation of fully abstract equivalences, and
preorders, for a few suitable choices of $\mathcal{C}$ and $\mathcal{O}$.

The programme for refinement preorders proceeds along the same lines, but here it is important to
distinguish between good and bad properties of processes. The counterpart of (1) is

$$p \sqsubseteq q \;\Rightarrow\; \forall \varphi \in \mathcal{G}.\ (p \models \varphi \Rightarrow q \models \varphi) \qquad (3)$$

where $\mathcal{G}$ is the set of good properties within $\mathcal{C}$, those that for some applications may be required of a
process. If this holds, $\sqsubseteq$ respects or preserves the properties in $\mathcal{G}$. When dealing with bad properties,
those that in some applications should be avoided, the implication between $p \models \varphi$ and $q \models \varphi$ is oriented
in the other direction. Since every bad property $\varphi$ can be reformulated as a good property $\neg\varphi$, there is
no specific need to add a variant of (3) for the bad properties. The counterpart of (2) is simply

$$p \sqsubseteq q \;\Rightarrow\; C[p] \sqsubseteq C[q]. \qquad (4)$$

and a preorder $\sqsubseteq$ that satisfies this requirement is called a precongruence for $\mathcal{O}$. Now the preorder that
is fully abstract w.r.t. $\mathcal{G}$ and $\mathcal{O}$ always exists, and is characterised by

$$p \sqsubseteq q \;\Leftrightarrow\; \forall\, \mathcal{O}\text{-context } C[\_].\ \forall \varphi \in \mathcal{G}.\ (C[p] \models \varphi \Rightarrow C[q] \models \varphi).$$

It is the coarsest precongruence for $\mathcal{O}$ that respects the properties in $\mathcal{G}$. A characterisation of the preorder
$\sqsubseteq$ that is fully abstract w.r.t. a certain $\mathcal{G}$ and $\mathcal{O}$ automatically yields a characterisation of the equivalence
$=$ that is fully abstract w.r.t. $\mathcal{G}$ and $\mathcal{O}$, as one has $p = q$ iff both $p \sqsubseteq q$ and $q \sqsubseteq p$.

In this paper I will propose three main candidates for the set $\mathcal{G}$ of good properties: safety properties
in Section 3, liveness properties in Section 4, and conditional liveness properties in Section 5. For the
sake of theoretical completeness I moreover address general linear time properties in Section 6.

In Section 2 I will define my model of labelled transition systems and propose a class $\mathcal{O}$ of
operators that appear useful in applications to combine processes. My favourite selection contains

• the partially synchronous interleaving operator of CSP [15],

• abstraction or concealment [3, 15],

• and the state operator [2],

or any other basis that is equally expressive. With each of the four choices for $\mathcal{G}$ this set of operators
determines a fully abstract preorder, which will be characterised in Sections 3, 4, 5 and 6. It turns out that
the resulting preorders are somewhat robust under the precise choice of operators for which one imposes
a precongruence requirement: the same ones are obtained already without using concealment, and using
merely injective renaming instead of the more general state operator. In the other direction, I could just
as well have used all operators of CSP.

2 Labelled Transition Systems and a Selection of Composition Operators 

Let $\Sigma^*$ denote the set of finite sequences over a given set $\Sigma$, and $\Sigma^\infty$ the set of infinite ones; $\Sigma^\omega := \Sigma^* \cup \Sigma^\infty$.
Write $\varepsilon$ for the empty sequence, $\sigma\rho$ for the concatenation of sequences $\sigma \in \Sigma^*$ and $\rho \in \Sigma^\omega$, and $a$
for the sequence consisting of the single symbol $a \in \Sigma$. Write $\sigma \leq \rho$ for "$\sigma$ is a prefix of $\rho$", i.e.
"$\rho = \sigma \vee \exists \nu \in \Sigma^\omega.\ \sigma\nu = \rho$", and $\sigma < \rho$ for "$\sigma \leq \rho$ and $\sigma \neq \rho$".

I presuppose an infinite action alphabet $A$, not containing the silent action $\tau$, and set $A_\tau = A \cup \{\tau\}$.

Definition 1 A labelled transition system (LTS) is a pair $(P, \to)$, where $P$ is a class of processes or
states and $\to \subseteq P \times A_\tau \times P$ is a set of transitions, such that for each $p \in P$ and $\alpha \in A_\tau$ the class
$\{q \in P \mid (p, \alpha, q) \in \to\}$ is a set.

Assuming a fixed transition system $(P, \to)$, I write $p \xrightarrow{\alpha} q$ for $(p, \alpha, q) \in \to$; this means that process $p$
can evolve into process $q$, while performing the action $\alpha$. The ternary relation $\Longrightarrow \subseteq P \times A^* \times P$ is the
least relation satisfying

$$\frac{}{p \overset{\varepsilon}{\Longrightarrow} p} \qquad \frac{p \xrightarrow{\tau} q}{p \overset{\varepsilon}{\Longrightarrow} q} \qquad \frac{p \xrightarrow{a} q \quad a \neq \tau}{p \overset{a}{\Longrightarrow} q} \qquad \text{and} \qquad \frac{p \overset{\sigma}{\Longrightarrow} q \quad q \overset{\rho}{\Longrightarrow} r}{p \overset{\sigma\rho}{\Longrightarrow} r}$$

This enables a formalisation of the concepts of traces and complete traces from the introduction. 

Definition 2 Let $p \in P$.

• $p$ is deterministic if, for any $\sigma \in A^*$, $p \overset{\sigma}{\Longrightarrow} q_1$ and $p \overset{\sigma}{\Longrightarrow} q_2$ implies that $q_1 = q_2$ and $q_1 \not\xrightarrow{\tau} r$ for any $r \in P$.

• $p$ deadlocks, notation $p \not\to$, if there are no $\alpha \in A_\tau$ and $q \in P$ such that $p \xrightarrow{\alpha} q$.

• $p$ is locked if it can never do a visible action, i.e. if $p \overset{a}{\Longrightarrow} q$ for no $a \in A$ and $q \in P$.

• $p$ diverges, notation $p \Uparrow$, if there are $p_i \in P$ for all $i > 0$ such that $p \xrightarrow{\tau} p_1 \xrightarrow{\tau} p_2 \xrightarrow{\tau} \cdots$

• $a_1 a_2 a_3 \cdots \in A^\infty$ is an infinite trace of $p$ if there are $p_1, p_2, \ldots \in P$ such that $p \overset{a_1}{\Longrightarrow} p_1 \overset{a_2}{\Longrightarrow} p_2 \overset{a_3}{\Longrightarrow} \cdots$.

• $\mathit{inf}(p)$ denotes the set of infinite traces of $p$.

• $\mathit{ptraces}(p) := \{\sigma \in A^* \mid \exists q.\ p \overset{\sigma}{\Longrightarrow} q\}$ is the set of partial traces of $p$.

• $\mathit{traces}(p) := \mathit{inf}(p) \cup \mathit{ptraces}(p)$ is the set of traces of $p$.

• $\mathit{deadlocks}(p) := \{\sigma \in A^* \mid \exists q.\ p \overset{\sigma}{\Longrightarrow} q \not\to\}$ is the set of deadlock traces of $p$.

• $\mathit{divergences}(p) := \{\sigma \in A^* \mid \exists q.\ p \overset{\sigma}{\Longrightarrow} q \Uparrow\}$ is the set of divergence traces of $p$.

• $CT(p) := \mathit{inf}(p) \cup \mathit{divergences}(p) \cup \mathit{deadlocks}(p)$ is the set of complete traces of $p$.

Note that $\mathit{traces}(p) = \{\sigma \in A^\omega \mid \exists \rho \in CT(p).\ \sigma \leq \rho\}$.

To justify that $CT(p)$ is indeed a correct formalisation of the set of complete traces of $p$, I postulate
that in a neutral environment, if a process $p \in P$ has any outgoing transition $p \xrightarrow{\alpha} q$, then within a finite
amount of time it will do one of its outgoing transitions. This is called a progress property; it says that a
process will continue to make progress if possible.

As explained in the introduction, whether a fully abstract equivalence identifies processes p and q 
may depend on the existence of a third process r such that p\\r can be distinguished from q\\r. When 
restricting attention to a particular labelled transition system (P,— >) it might happen that a perfectly 
reasonable candidate r happens not to be a member of P, and thus that the conclusion p = q is arrived 
at solely as a result of underpopulation of $P$. To obtain the most robust notions of equivalence, I therefore
assume my LTS to be universal, in the sense that up to isomorphism it contains any process one can 
imagine. 

Definition 3 An LTS $(P, \to_P)$ is universal if for any other LTS $(Q, \to_Q)$ there exists an injective mapping
$f : Q \to P$, called an embedding, such that, for any $q \in Q$ and $p' \in P$ one has $f(q) \xrightarrow{\alpha}_P p'$ iff
$p' \in P$ has the form $f(q')$ for some $q' \in Q$ with $q \xrightarrow{\alpha}_Q q'$.

The existence of a universal LTS has been established in [7]. Here one needs $P$ to be a proper class.
All preorders $\sqsubseteq$ that I consider in this paper are defined on arbitrary LTSs and have the property that
$q \sqsubseteq q' \Leftrightarrow f(q) \sqsubseteq f(q')$ for any embedding $f$. This means that they are precongruences for isomorphism,
and only take into account the future behaviour of processes, i.e. in determining whether $p \sqsubseteq q$ transitions
leading to $p$ or $q$ play no role. Thus, a definition of such a preorder on a universal LTS implicitly also
defines it on any other LTS.
Table 1: Partially synchronous interleaving, abstraction, and the state operator



I will now make a proposal for the set $\mathcal{O}$ that will be my default choice in this paper. It consists of three
operators for combining processes that appear useful in practical applications.

The first is the partially synchronous interleaving operator of CSP [15]. It is parametrised with a set
$S \subseteq A$ of visible actions on which it synchronises: the composition $p \|_S q$ can perform an action from $S$
only when both $p$ and $q$ perform it. All other actions from $p$ and $q$ are interleaved: whenever one of the
two components can perform such an action, so can the composition, while the other component doesn't
change its state. Formally, for any choice of $S \subseteq A$, $\|_S : P \times P \to P$ is a binary operator on $P$ such that
a process $p \|_S q$ can make an $\alpha$-transition iff this can be inferred by the first three rules of Table 1 from
the transitions that $p$ and $q$ can make. Here $a$ ranges over $A$ and $\alpha$ over $A_\tau$.

A context $\_\|_S r$ is widely regarded as a plausible way of modelling an environment that partially
synchronises with processes under investigation. It is for this reason I include it in $\mathcal{O}$. This argument
does not hold for many other process algebraic operators, such as the choice operator $+$ of CCS [12].
This is an example of an operator that is useful for describing particular processes, but a context $\_ + r$
does not really model a reasonable environment in which one wants to run processes under investigation.
For reasons of algebraic convenience, being a precongruence for the $+$ is an optional desideratum of
refinement preorders, but it is not such an overriding requirement as being a precongruence for $\|_S$.

The second operator nominated for membership of $\mathcal{O}$ is the unary abstraction operator $\tau_I$ of ACP$_\tau$
[3], also known as the concealment operator of CSP [4, 15]. This operator models a change in the
level of abstraction at which processes are regarded, by reclassifying visible actions as hidden ones. It
is parametrised with the set $I \subseteq A$ of visible actions that one chooses to abstract from, and formally
defined by the next two rules of Table 1. Abstraction from internal actions by such a mechanism is an
essential part of most work on verification in a process algebraic setting, and a context $\tau_I(\_)$ represents
a reasonable environment in which to evaluate processes.

My final nominee for the set $\mathcal{O}$ of useful composition operators is the state operator $\lambda^m_s$ of [2].
This unary operator formalises an interface between a process and its environment that is able to rename
actions: if its argument process performs an action $b$, the interface $\lambda^m_s(\_)$ may pass on this action to
the environment as $c$, thereby opening up the possibility of synchronisation with another occurrence of
$c$ when using a composed context $\lambda^m_s(\_) \|_S r$. Furthermore, the interface may remember the actions that
have been performed so far, and make its renaming behaviour dependent on this history. For instance, if
its argument $p$ performs two $a$-actions in a row, $\lambda^m_s(p)$ may pass these on to the environment as $a_1$ and
$a_2$, respectively.

The state operator $\lambda^m_s$ is parametrised with an interface specification $m = (\mathcal{S}, \mathit{ACTION}, \mathit{EFFECT})$,
consisting of a set $\mathcal{S}$ of internal states, and functions $\mathit{ACTION} : \mathcal{S} \times A \to A$ and $\mathit{EFFECT} : \mathcal{S} \times A \to \mathcal{S}$, as
well as a current state $s \in \mathcal{S}$. Here $\mathit{ACTION}$ is a function that renames actions performed by an argument
process $p$ into actions performed by the interface $\lambda^m_s(p)$; the renaming depends on the internal state of
the state operator, and thus is of type $\mathcal{S} \times A \to A$. $\mathit{EFFECT}$ specifies the transformation of one internal
state of the state operator into another, as triggered by the encounter of an action of its argument
process; it thus is of type $\mathcal{S} \times A \to \mathcal{S}$. Traditionally, one writes $a(m,s)$ for $\mathit{ACTION}(s,a)$ and $s(m,a)$ for
$\mathit{EFFECT}(s,a)$. So $a(m,s)$ denotes the action $a$, as modified by the interface $m$ in state $s$, whereas $s(m,a)$
denotes the internal state $s$, as modified by the occurrence of action $a$ of the argument process within the
scope of the interface $m$. With this notation, the formal definition of the state operator is given by the last
two rules of Table 1.

The special case of a state operator with a singleton set of internal states is known as a renaming
operator. Renaming operators occur in the languages CCS [12] and CSP [4, 15]. Here I denote a
renaming operator as $\lambda^m$, where the redundant subscript $s$ is omitted, and $m$ trivialises to a function
$\mathit{ACTION} : A \to A$. I speak of an injective renaming operator if $\mathit{ACTION}(a) = \mathit{ACTION}(b)$ implies $a = b$.
For any injective renaming operator $\lambda^m$ there exists an inverse renaming operator $\lambda^{-m}$ (not necessarily
injective) such that for all $p \in P$, the process $\lambda^{-m}(\lambda^m(p))$ behaves exactly the same as $p$: they are
equivalent under all notions of equivalence considered in this paper.

3 Safety Properties 

A safety property [9] is a property that says that

something bad will never happen.

To formulate a canonical safety property, assume that my alphabet of visible actions contains one specific
action $b$, whose occurrence is bad. The canonical safety property now says that $b$ will never happen.

Definition 4 A process $p$ satisfies the canonical safety property, notation $p \models \mathit{safety}(b)$, if no trace of $p$
contains the action $b$.

To arrive at a general concept of safety property for labelled transition systems, assume that some notion
of bad is defined. Now, to judge whether a process $p$ satisfies this safety property, one should judge
whether $p$ can reach a state in which one would say that something bad had happened. But all observable
behaviour of $p$ that is recorded in a labelled transition system until one comes to such a verdict, is the
sequence of visible actions performed until that point. Thus the safety property is completely determined
by the set of sequences of visible actions that, when performed by $p$, lead to such a judgement. Therefore
one can just as well define the concept of a safety property in terms of such a set.

Definition 5 A safety property of processes in an LTS is given by a set $B \subseteq A^*$. A process $p$ satisfies this
safety property, notation $p \models \mathit{safety}(B)$, when $\mathit{ptraces}(p) \cap B = \emptyset$.

This formalisation of safety properties is essentially the same as the one in [9] and all subsequent work 
on safety properties; the only, non-essential, difference is that I work with transition systems in which the 
transitions are labelled, whereas [9] and most related work deals with state-labelled transition systems. 

A property is called trivial if it either always holds or always fails. Trivial properties are respected
by any equivalence. The set $B := \emptyset$ and all sets $B$ with $\varepsilon \in B$ specify trivial safety properties.

Theorem 1 A precongruence for the state operator respects every safety property iff it respects the 
canonical safety property. 
Proof: "Only if" follows because the canonical safety property is in fact a safety property, namely the
one with $B$ being the set of those sequences that contain the action $b$.

"If": I use here a state operator that remembers exactly what sequence of actions has occurred so far.
Thus the set of internal states of its interface specification $m$ is $A^*$, and furthermore $\sigma(m,a) := \sigma a$ for all
$\sigma \in A^*$ and $a \in A$. Now given a safety property $B \subseteq A^*$, let $b \in A$ be the special "bad" action, and $d \in A$
be a different "neutral" action. Define

$$a(m,\sigma) := \begin{cases} b & \text{if } \sigma a \in B \\ d & \text{if } \sigma a \notin B \text{ and } a = b \\ a & \text{otherwise.} \end{cases}$$

Then $\lambda^m_\varepsilon(p) \models \mathit{safety}(b)$ iff $p \models \mathit{safety}(B)$. Thus, if $p \sqsubseteq q$ and $p \models \mathit{safety}(B)$, then $\lambda^m_\varepsilon(p) \sqsubseteq \lambda^m_\varepsilon(q)$ and
$\lambda^m_\varepsilon(p) \models \mathit{safety}(b)$. Hence $\lambda^m_\varepsilon(q) \models \mathit{safety}(b)$, so $q \models \mathit{safety}(B)$. □

Being locked (see Definition 2) is a safety property, namely with $B$ the set of all sequences in $A^*$
of length 1. It can be understood this way by regarding any occurrence of an action as bad.

Theorem 2 A precongruence for abstraction that respects the property of being locked, respects the 
canonical safety property. 

Proof: Let $\sqsubseteq$ be a precongruence for abstraction that respects the property of being locked, and suppose
that $p \sqsubseteq q$. Let $I := A \setminus \{b\}$. Then $\tau_I$ is an operator that renames all actions other than $b$ into $\tau$;
thus if a process of the form $\tau_I(r)$ ever performs a visible action, it must be $b$. Now
$p \models \mathit{safety}(b) \Leftrightarrow \tau_I(p) \models \mathit{safety}(b) \Leftrightarrow \tau_I(p)$ is locked $\Rightarrow \tau_I(q)$ is locked $\Leftrightarrow \tau_I(q) \models \mathit{safety}(b) \Leftrightarrow q \models \mathit{safety}(b)$. □

By combining Theorems 1 and 2 one obtains:

Corollary 1 A precongruence for abstraction and for the state operator that respects the property of 
being locked, respects all safety properties. 

Theorem 3 Any precongruence for $\mathcal{O}$ that respects a single nontrivial safety property, respects every
safety property.

Proof: Let $\sqsubseteq$ be a precongruence for $\mathcal{O}$ that respects $\mathit{safety}(B)$, where $B \subseteq A^*$, $B \neq \emptyset$ and $\varepsilon \notin B$. Let
$\sigma \in A^*$ and $a \in A$ be such that $\sigma a \in B$, and no prefix $\rho < \sigma a$ of $\sigma a$ is in $B$. Let $\mathit{safety}(a)$ be the canonical
safety property, but with $a$ playing the role of $b$. Naturally, Theorem 1 holds for this renamed canonical
safety property as well. Hence it suffices to show that $\sqsubseteq$ respects the property $\mathit{safety}(a)$. Let $I := A \setminus \{a\}$.
Then $\tau_I$ is an operator that renames all actions other than $a$ into $\tau$; thus if a process of the form $\tau_I(s)$
ever performs a visible action, it must be $a$. Let $r_\sigma$ be a process with $CT(r_\sigma) = \{\sigma\}$ and $r_{\sigma a}$ be a process
with $CT(r_{\sigma a}) = \{\sigma a\}$. Then, for any choice of $s \in P$, $(\tau_I(s) \|_\emptyset r_\sigma) \|_A r_{\sigma a}$ is a process all of whose traces
are prefixes of $\sigma a$, with $\sigma a \in \mathit{ptraces}((\tau_I(s) \|_\emptyset r_\sigma) \|_A r_{\sigma a})$ iff $a \in \mathit{ptraces}(\tau_I(s))$, which is the case iff
$s \not\models \mathit{safety}(a)$. Suppose $p \sqsubseteq q$. Then $(\tau_I(p) \|_\emptyset r_\sigma) \|_A r_{\sigma a} \sqsubseteq (\tau_I(q) \|_\emptyset r_\sigma) \|_A r_{\sigma a}$ and

$$p \models \mathit{safety}(a) \Leftrightarrow (\tau_I(p) \|_\emptyset r_\sigma) \|_A r_{\sigma a} \models \mathit{safety}(B) \Rightarrow (\tau_I(q) \|_\emptyset r_\sigma) \|_A r_{\sigma a} \models \mathit{safety}(B) \Leftrightarrow q \models \mathit{safety}(a).\ \square$$

Let $\sqsubseteq_{\mathit{safety}}$ denote the preorder that is fully abstract w.r.t. the class of safety properties and $\mathcal{O}$. The
following, well-known, theorem characterises this preorder as reverse partial trace inclusion.

Theorem 4 $p \sqsubseteq_{\mathit{safety}} q \Leftrightarrow \mathit{ptraces}(p) \supseteq \mathit{ptraces}(q)$.

Proof: Define reverse partial trace inclusion, $\sqsubseteq_T^{-1}$, by $p \sqsubseteq_T^{-1} q$ iff $\mathit{ptraces}(p) \supseteq \mathit{ptraces}(q)$.
"$\Leftarrow$": It suffices to establish that $\sqsubseteq_T^{-1}$ is a precongruence for $\mathcal{O}$ that respects all safety properties.
That $\sqsubseteq_T^{-1}$ is a precongruence for $\mathcal{O}$ follows immediately from the following observations:

$$\begin{aligned}
\mathit{ptraces}(p \|_S q) &= \{\sigma \in \nu \|_S \xi \mid \nu \in \mathit{ptraces}(p) \wedge \xi \in \mathit{ptraces}(q)\} \\
\mathit{ptraces}(\tau_I(p)) &= \{\tau_I(\sigma) \mid \sigma \in \mathit{ptraces}(p)\} \\
\mathit{ptraces}(\lambda^m_s(p)) &= \{\lambda^m_s(\sigma) \mid \sigma \in \mathit{ptraces}(p)\}.
\end{aligned}$$
Here $\nu \|_S \xi$ denotes the set of sequences of actions for which it is possible to mark each action occurrence
as left, right or both, obeying the restriction that an occurrence of action $a$ is marked both left and right
iff $a \in S$, such that the subsequence of all left-labelled action occurrences is $\nu$ and the subsequence of
all right-labelled action occurrences is $\xi$. Furthermore, the operators $\tau_I$ and $\lambda^m_s$ on $A^*$ are uniquely
determined by

$$\tau_I(\varepsilon) = \varepsilon \qquad \tau_I(a\sigma) = \begin{cases} \tau_I(\sigma) & \text{if } a \in I \\ a\,\tau_I(\sigma) & \text{otherwise} \end{cases}$$

$$\lambda^m_s(\varepsilon) = \varepsilon \qquad \lambda^m_s(a\sigma) = a(m,s)\,\lambda^m_{s(m,a)}(\sigma).$$

To show that $\sqsubseteq_T^{-1}$ respects all safety properties, let $B \subseteq A^*$, $p \sqsubseteq_T^{-1} q$, and suppose $p \models \mathit{safety}(B)$.
Then $\mathit{ptraces}(q) \subseteq \mathit{ptraces}(p)$ and $\mathit{ptraces}(p) \cap B = \emptyset$. Thus $\mathit{ptraces}(q) \cap B = \emptyset$, i.e. $q \models \mathit{safety}(B)$,
which had to be shown.

"$\Rightarrow$": Let $\sqsubseteq$ be any precongruence for $\mathcal{O}$ that respects all safety properties, and suppose $p \sqsubseteq q$.
I have to establish that $p \sqsubseteq_T^{-1} q$. Let $B := A^* \setminus \mathit{ptraces}(p)$. Then $p \models \mathit{safety}(B)$. Thus $q \models \mathit{safety}(B)$, i.e.
$\mathit{ptraces}(q) \cap (A^* \setminus \mathit{ptraces}(p)) = \emptyset$. This yields $\mathit{ptraces}(q) \subseteq \mathit{ptraces}(p)$. □
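As an added example (not code from the paper), the following Python script works at the level of partial-trace sets, as the three observations in the proof above do: it implements $\nu \|_S \xi$, $\tau_I$ and $\lambda^m_s$ on sequences, the history-remembering state operator from the proof of Theorem 1, and the context $(\tau_I(s) \|_\emptyset r_\sigma) \|_A r_{\sigma a}$ from the proof of Theorem 3. The trace sets `P` and `Q`, the alphabet `A`, the safety property `B`, the choice of `"b"` and `"d"` as the bad and neutral actions, and all function names are constructed for this illustration.

```python
def interleave(nu, xi, S):
    """ν ‖_S ξ: interleavings of the sequences ν and ξ in which occurrences of actions from S are shared."""
    if not nu and not xi:
        return {()}
    out = set()
    if nu and nu[0] not in S:                          # step taken by the left component alone
        out |= {(nu[0],) + r for r in interleave(nu[1:], xi, S)}
    if xi and xi[0] not in S:                          # step taken by the right component alone
        out |= {(xi[0],) + r for r in interleave(nu, xi[1:], S)}
    if nu and xi and nu[0] == xi[0] and nu[0] in S:    # synchronised step on an action in S
        out |= {(nu[0],) + r for r in interleave(nu[1:], xi[1:], S)}
    return out


def par(P, Q, S):
    """ptraces(p ‖_S q) computed from P = ptraces(p) and Q = ptraces(q)."""
    return {s for nu in P for xi in Q for s in interleave(nu, xi, S)}


def hide(P, I):
    """ptraces(τ_I(p)): τ_I deletes every occurrence of an action in I."""
    return {tuple(a for a in s if a not in I) for s in P}


def state_op(P, action, effect, s0):
    """ptraces(λ^m_{s0}(p)) for an interface m given by ACTION(s, a) and EFFECT(s, a)."""
    out = set()
    for sigma in P:
        s, renamed = s0, []
        for a in sigma:
            renamed.append(action(s, a))
            s = effect(s, a)
        out.add(tuple(renamed))
    return out


def safety(P, B):  # p ⊨ safety(B) iff ptraces(p) ∩ B = ∅ (Definition 5)
    return not (P & B)


def canonical_safety(P, b):  # p ⊨ safety(b) iff no trace contains b (Definition 4)
    return all(b not in s for s in P)


def history_interface(B, bad="b", neutral="d"):
    """The state operator of the proof of Theorem 1: the internal state is the history σ so far;
    a becomes `bad` when σa ∈ B, an innocent `bad` becomes `neutral`, anything else is passed on."""
    def action(hist, a):
        if hist + (a,) in B:
            return bad
        return neutral if a == bad else a
    return action, (lambda hist, a: hist + (a,)), ()


def prefixes(sigma):
    return {sigma[:i] for i in range(len(sigma) + 1)}


def theorem3_context(P, A, a, sigma):
    """ptraces of (τ_I(s) ‖_∅ r_σ) ‖_A r_σa with I = A without a, the context of the proof of Theorem 3."""
    return par(par(hide(P, A - {a}), prefixes(sigma), set()), prefixes(sigma + (a,)), A)


# Constructed sample: prefix-closed partial-trace sets over the alphabet A.
A = {"a", "b", "c"}
P = {(), ("a",), ("a", "b"), ("a", "c")}  # p may do c after a
Q = {(), ("a",), ("a", "b")}              # Q ⊆ P, i.e. p ⊑_T^{-1} q (Theorem 4)
B = {("a", "c")}                          # safety(B): "c never follows a"

if __name__ == "__main__":
    act, eff, s0 = history_interface(B)
    for name, T in (("p", P), ("q", Q)):
        print(name, "⊨ safety(B):", safety(T, B),
              " λ(" + name + ") ⊨ safety(b):", canonical_safety(state_op(T, act, eff, s0), "b"),
              " σa in Theorem 3 context:", ("a", "c") in theorem3_context(T, A, "c", ("a",)))
```

Running the script shows the two reductions at work: the history-remembering interface turns the arbitrary property `safety(B)` into the canonical one, and the Theorem 3 context exposes the trace `("a", "c")` exactly for the process that violates `safety(B)`. Because `par`, `hide` and `state_op` are monotone in their trace-set argument, `Q ⊆ P` is preserved by all three, which is the trace-level content of the "⇐" direction of Theorem 4.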

The above characterisation as reverse partial trace inclusion of the coarsest precongruence for $\mathcal{O}$ that respects
all safety properties is rather robust under the choice of $\mathcal{O}$. It holds already for the empty class of
operators, and it remains true when adding in all operators of CSP [4], CCS [12] or ACP$_\tau$ [3], as $\sqsubseteq_T^{-1}$ is
known to be a precongruence for all of them.

By Theorem 3 the characterisation also remains valid when requiring respect for one arbitrary safety
property only, instead of all of them, but to this end all three operators of $\mathcal{O}$ are needed. If we just retain
the state operator, by Theorem 1 it suffices to require respect for the canonical safety property only.

4 Liveness Properties 

A liveness property [9] is a property that says that

something good will eventually happen. 

To formulate a canonical liveness property, assume that the alphabet A contains one specific action g, 
whose occurrence is good. The canonical liveness property now says that g will eventually happen. 

Definition 6 A process $p$ satisfies the canonical liveness property, notation $p \models \mathit{liveness}(g)$, if every
complete trace of $p$ contains the action $g$.

To arrive at a general concept of liveness property for labelled transition systems, assume that some
notion of good is defined. Now, to judge whether a process $p$ satisfies this liveness property, one should
judge whether $p$ can reach a state in which one would say that something good had happened. But
all observable behaviour of $p$ that is recorded in a labelled transition system until one comes to such
a verdict, is the sequence of visible actions performed until that point. Thus the liveness property is
completely determined by the set of sequences of visible actions that, when performed by $p$, lead to such
a judgement. Therefore one can just as well define the concept of a liveness property in terms of such a
set.

Definition 7 A liveness property of processes in an LTS is given by a set $G \subseteq A^*$. A process $p$ satisfies
this liveness property, notation $p \models \mathit{liveness}(G)$, when each complete trace of $p$ has a prefix in $G$.

This formalisation of liveness properties is essentially different from the one in [9] and most subsequent
work on liveness properties; this point is discussed in Section 6.

Just as for safety properties, the set $G := \emptyset$ and all sets $G$ with $\varepsilon \in G$ specify trivial liveness properties.
Theorem 5 A precongruence for the state operator respects every liveness property iff it respects the
canonical liveness property.

Proof: Just like the proof of Theorem 1. □

A process $p$ has the initial progress property if it cannot immediately diverge or deadlock, i.e. if
$\varepsilon \notin \mathit{divergences}(p) \cup \mathit{deadlocks}(p)$. This is a liveness property, namely with $G$ the set of all sequences in $A^*$
of length 1. It can be understood this way by regarding any occurrence of an action as good.

Theorem 6 A precongruence for abstraction that respects the initial progress property, respects the 
canonical liveness property. 

Proof: Just like the proof of Theorem 2. □

By combining Theorems 5 and 6 one obtains:

Corollary 2 A precongruence for abstraction and for the state operator that respects the initial progress 
property, respects all liveness properties. 

Conjecture 1 Any precongruence for $\mathcal{O}$ that respects a single nontrivial liveness property, respects every
liveness property.

Let $\sqsubseteq_{\mathit{liveness}}$ denote the preorder that is fully abstract w.r.t. the class of liveness properties and $\mathcal{O}$. I will
proceed to characterise $\sqsubseteq_{\mathit{liveness}}$ as the preorder $\sqsubseteq_{FDI}$ based on failures, divergences and infinite traces
that is also used in the work on CSP [15]. Failures of a process $p$ are defined below; they are pairs $(\sigma, X)$
such that $p$ can perform the sequence of visible actions $\sigma$ and then reach a state in which no further
progress can be made in case the environment allows only those visible actions to occur that are listed
in $X$. The preorder $\sqsubseteq_{FDI}$ does not take into account any information about the behaviour of processes
that can be thought of as taking place after a divergence. One of the ways to erase this information from
the set of failures, divergences and infinite traces of a process is by means of flooding. Flooded sets of
failures, divergences and infinite traces are indicated by the subscript $\perp$.

Definition 8 Let $p \in P$.

• $\mathit{initials}(p) := \{\alpha \in A_\tau \mid \exists q.\ p \xrightarrow{\alpha} q\}$.

• $\mathit{failures}(p) := \{(\sigma, X) \in A^* \times \mathcal{P}(A) \mid \exists q.\ p \overset{\sigma}{\Longrightarrow} q \wedge \mathit{initials}(q) \cap (X \cup \{\tau\}) = \emptyset\}$.

• $\mathit{divergences}_\perp(p) := \{\sigma\rho \mid \sigma \in \mathit{divergences}(p) \wedge \rho \in A^*\}$.

• $\mathit{inf}_\perp(p) := \mathit{inf}(p) \cup \{\sigma\rho \mid \sigma \in \mathit{divergences}(p) \wedge \rho \in A^\infty\}$.

• $\mathit{failures}_\perp(p) := \mathit{failures}(p) \cup \{(\sigma\rho, X) \mid \sigma \in \mathit{divergences}(p) \wedge \rho \in A^* \wedge X \subseteq A\}$.

So $\mathit{deadlocks}(p) = \{\sigma \mid (\sigma, A) \in \mathit{failures}(p)\}$ and $\mathit{ptraces}(p) = \mathit{divergences}(p) \cup \{\sigma \mid (\sigma, \emptyset) \in \mathit{failures}(p)\}$.
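The following Python script is an added example, not code from the paper. It implements, for finite labelled transition systems, the derived relation $\Longrightarrow$ and the partial, deadlock and divergence traces of Definition 2, together with $\mathit{initials}$, $\mathit{failures}$ and the flooded sets of Definition 8, and checks the divergence and failure parts of the condition of Theorem 7 below. Infinite traces are not enumerated; every trace set is instead truncated at a length bound `maxlen`, which is why `ptraces` terminates on systems with cycles. The three sample systems `P_LTS`, `Q_LTS` and `R_LTS`, the marker `TAU` for $\tau$, and the function names are constructed here.

```python
from itertools import combinations, product

TAU = "tau"  # constructed name for the silent action τ


class LTS:
    """A finite labelled transition system given as (p, alpha, q) triples, alpha in A ∪ {TAU}."""

    def __init__(self, trans):
        self.trans = set(trans)

    def succ(self, p, alpha):
        return {q for (s, a, q) in self.trans if s == p and a == alpha}

    def initials(self, p):  # Definition 8: initials(p) ⊆ A_τ
        return {a for (s, a, _) in self.trans if s == p}

    def tau_closure(self, states):
        """States reachable from `states` by zero or more tau-transitions."""
        seen, todo = set(states), list(states)
        while todo:
            for q in self.succ(todo.pop(), TAU) - seen:
                seen.add(q)
                todo.append(q)
        return seen

    def weak(self, p, sigma):
        """{q | p =sigma=> q}: the relation derived by the inference rules after Definition 1."""
        cur = self.tau_closure({p})
        for a in sigma:
            cur = self.tau_closure({q for s in cur for q in self.succ(s, a)})
        return cur

    def diverges(self, p):
        """p ⇑: in a finite LTS this means a tau-cycle is tau-reachable from p."""
        return any(q in self.tau_closure(self.succ(q, TAU)) for q in self.tau_closure({p}))

    def ptraces(self, p, maxlen):
        """Partial traces of length <= maxlen (the LTS may have cycles, so enumeration is bounded)."""
        found = frontier = {()}
        for _ in range(maxlen):
            frontier = {s + (a,) for s in frontier for q in self.weak(p, s)
                        for a in self.initials(q) - {TAU}}
            found = found | frontier
        return found

    def deadlocks(self, p, maxlen):  # sigma with p =sigma=> q -/->
        return {s for s in self.ptraces(p, maxlen) if any(not self.initials(q) for q in self.weak(p, s))}

    def divergences(self, p, maxlen):  # sigma with p =sigma=> q ⇑
        return {s for s in self.ptraces(p, maxlen) if any(self.diverges(q) for q in self.weak(p, s))}

    def failures(self, p, maxlen, A):
        """(sigma, X): p =sigma=> q, q stable (no tau), and q refuses every action of X ⊆ A."""
        res = set()
        for s in self.ptraces(p, maxlen):
            for q in self.weak(p, s):
                if TAU not in self.initials(q):
                    refusable = sorted(A - self.initials(q))
                    res |= {(s, frozenset(X)) for r in range(len(refusable) + 1)
                            for X in combinations(refusable, r)}
        return res

    def flooded(self, p, maxlen, A):
        """divergences_⊥ and failures_⊥ of Definition 8, truncated at length maxlen."""
        words = {()} | {w for n in range(1, maxlen + 1) for w in product(sorted(A), repeat=n)}
        subsets = {frozenset(X) for r in range(len(A) + 1) for X in combinations(sorted(A), r)}
        div_bot = {d + w for d in self.divergences(p, maxlen) for w in words if len(d) + len(w) <= maxlen}
        fail_bot = self.failures(p, maxlen, A) | {(d, X) for d in div_bot for X in subsets}
        return div_bot, fail_bot


def refines_fdi(lts_p, p, lts_q, q, maxlen, A):
    """Finite part of Theorem 7: p ⊑_FDI q iff q's flooded divergences and failures lie within p's."""
    div_p, fail_p = lts_p.flooded(p, maxlen, A)
    div_q, fail_q = lts_q.flooded(q, maxlen, A)
    return div_q <= div_p and fail_q <= fail_p


# Constructed samples: p = a.b.0 + a.0 and q = a.b.0 have the same partial traces, but p may
# deadlock right after a; r = a.(tau loop) diverges after a.
A = {"a", "b"}
P_LTS = LTS([("p0", "a", "p1"), ("p1", "b", "p2"), ("p0", "a", "p3")])
Q_LTS = LTS([("q0", "a", "q1"), ("q1", "b", "q2")])
R_LTS = LTS([("r0", "a", "r1"), ("r1", TAU, "r1")])

if __name__ == "__main__":
    print("ptraces(p) =", sorted(P_LTS.ptraces("p0", 3)), " deadlocks(p) =", sorted(P_LTS.deadlocks("p0", 3)))
    print("p ⊑_FDI q:", refines_fdi(P_LTS, "p0", Q_LTS, "q0", 3, A),
          " q ⊑_FDI p:", refines_fdi(Q_LTS, "q0", P_LTS, "p0", 3, A))
    print("divergences(r) =", sorted(R_LTS.divergences("r0", 3)))
```

The sample makes the difference between the two sections concrete: `p` and `q` are identified by reverse partial trace inclusion (Theorem 4), yet `p` has the failure `(("a",), {"b"})` that `q` lacks, so `q` refines `p` but not conversely under the failures-based order, and `q` satisfies `liveness({("a","b")})` while `p` does not. The divergent `r` is flooded after `a`, so every process without divergences refines it on that trace, which is the information-erasing effect of the subscript $\perp$ described above.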

Theorem 7 $p \sqsubseteq_{\mathit{liveness}} q \;\Leftrightarrow\; \mathit{divergences}_\perp(p) \supseteq \mathit{divergences}_\perp(q) \;\wedge\; \mathit{inf}_\perp(p) \supseteq \mathit{inf}_\perp(q) \;\wedge\; \mathit{failures}_\perp(p) \supseteq \mathit{failures}_\perp(q)$.

Proof: Let $\sqsubseteq_{FDI}$ be the preorder defined by: $p \sqsubseteq_{FDI} q$ iff the right-hand side of Theorem 7 holds.
"$\Leftarrow$": It suffices to establish that $\sqsubseteq_{FDI}$ is a liveness respecting precongruence.

To show that $\sqsubseteq_{FDI}$ respects liveness, let $G \subseteq A^*$, $p \sqsubseteq_{FDI} q$, and suppose $p \models \mathit{liveness}(G)$. I need
to show that $q \models \mathit{liveness}(G)$. So suppose $\sigma \in CT(q)$. Then one out of three possibilities must apply:
either $\sigma \in \mathit{divergences}(q) \subseteq \mathit{divergences}_\perp(q) \subseteq \mathit{divergences}_\perp(p)$ or $\sigma \in \mathit{inf}(q) \subseteq \mathit{inf}_\perp(q) \subseteq \mathit{inf}_\perp(p)$ or
$(\sigma, A) \in \mathit{failures}(q) \subseteq \mathit{failures}_\perp(q) \subseteq \mathit{failures}_\perp(p)$. In the first case $\rho \in \mathit{divergences}(p) \subseteq CT(p)$ for some
$\rho \leq \sigma$; in the second case either $\sigma \in \mathit{inf}(p) \subseteq CT(p)$ or $\rho \in \mathit{divergences}(p) \subseteq CT(p)$ for some $\rho < \sigma$;
and in the third case either $(\sigma, A) \in \mathit{failures}(p)$ or $\rho \in \mathit{divergences}(p) \subseteq CT(p)$ for some $\rho \leq \sigma$. In all
three cases $\rho \in CT(p)$ for some $\rho \leq \sigma$. Since $p \models \mathit{liveness}(G)$, there must be a $\nu \leq \rho$ with $\nu \in G$. As
$\nu \leq \sigma$ it follows that $q \models \mathit{liveness}(G)$.

That $\sqsubseteq_{FDI}$ is a precongruence for $\|_S$ and $\tau_I$ has been established in [15] by means of the following observations:

$\mathit{divergences}_\bot(p \|_S q) = \{\sigma\rho \mid \exists (\nu, X) \in \mathit{failures}_\bot(p),\ \xi \in \mathit{divergences}_\bot(q).\ \sigma \in \nu \|_S \xi \wedge \rho \in A^*\} \cup {}$
$\qquad \{\sigma\rho \mid \exists \nu \in \mathit{divergences}_\bot(p),\ (\xi, X) \in \mathit{failures}_\bot(q).\ \sigma \in \nu \|_S \xi \wedge \rho \in A^*\}$

$\mathit{inf}_\bot(p \|_S q) = \{\sigma \mid \exists \nu \in \mathit{inf}_\bot(p),\ \xi \in \mathit{inf}_\bot(q).\ \sigma \in \nu \|_S \xi\} \cup {}$
$\qquad \{\sigma \mid \exists (\nu, X) \in \mathit{failures}_\bot(p),\ \xi \in \mathit{inf}_\bot(q).\ \sigma \in \nu \|_S \xi\} \cup {}$
$\qquad \{\sigma \mid \exists \nu \in \mathit{inf}_\bot(p),\ (\xi, X) \in \mathit{failures}_\bot(q).\ \sigma \in \nu \|_S \xi\} \cup {}$
$\qquad \{\sigma\rho \mid \sigma \in \mathit{divergences}_\bot(p \|_S q) \wedge \rho \in A^\infty\}$

$\mathit{failures}_\bot(p \|_S q) = \{(\sigma, X \cup Y) \mid \exists (\nu, X) \in \mathit{failures}_\bot(p),\ (\xi, Y) \in \mathit{failures}_\bot(q).\ X \setminus S = Y \setminus S \wedge \sigma \in \nu \|_S \xi\}$
$\qquad \cup\ \{(\sigma, X) \mid \sigma \in \mathit{divergences}_\bot(p \|_S q) \wedge X \subseteq A\}$.

$\mathit{divergences}_\bot(\tau_I(p)) = \{\tau_I(\sigma)\rho \mid \tau_I(\sigma), \rho \in A^* \wedge \sigma \in \mathit{inf}_\bot(p) \cup \mathit{divergences}_\bot(p)\}$

$\mathit{inf}_\bot(\tau_I(p)) = \{\tau_I(\sigma) \mid \tau_I(\sigma) \in A^\infty \wedge \sigma \in \mathit{inf}_\bot(p)\}$
$\qquad \cup\ \{\sigma\rho \mid \sigma \in \mathit{divergences}_\bot(\tau_I(p)) \wedge \rho \in A^\infty\}$

$\mathit{failures}_\bot(\tau_I(p)) = \{(\tau_I(\sigma), X) \mid (\sigma, X \cup I) \in \mathit{failures}_\bot(p)\}$
$\qquad \cup\ \{(\sigma, X) \mid \sigma \in \mathit{divergences}_\bot(\tau_I(p)) \wedge X \subseteq A\}$.

Here $\tau_I(\sigma)$ for $\sigma \in A^\infty$ is the supremum, w.r.t. the prefix order $\le$ on $A^\omega$, of the set $\{\tau_I(\rho) \mid \rho < \sigma\}$.
Likewise, $\sqsubseteq_{FDI}$ is a congruence for $\lambda^m_s$:

$\mathit{divergences}_\bot(\lambda^m_s(p)) = \{\lambda^m_s(\sigma)\rho \mid \sigma \in \mathit{divergences}_\bot(p) \wedge \rho \in A^*\}$

$\mathit{inf}_\bot(\lambda^m_s(p)) = \{\lambda^m_s(\sigma) \mid \sigma \in \mathit{inf}_\bot(p)\} \cup \{\sigma\rho \mid \sigma \in \mathit{divergences}_\bot(\lambda^m_s(p)) \wedge \rho \in A^\infty\}$

$\mathit{failures}_\bot(\lambda^m_s(p)) = \{(\lambda^m_s(\sigma), X) \mid (\sigma, \lambda^{-m}_{s,\sigma}(X)) \in \mathit{failures}_\bot(p)\}$
$\qquad \cup\ \{(\sigma, X) \mid \sigma \in \mathit{divergences}_\bot(\lambda^m_s(p)) \wedge X \subseteq A\}$.

Here $\lambda^{-m}_{s,\sigma}(X) := \{a \in A \mid a(m, s') \in X\}$, where $s'$ is the state that the interface specification $m$ has reached from $s$ after performing $\sigma$.

"⇒": Let $\sqsubseteq$ be any liveness respecting precongruence, and suppose $p \sqsubseteq q$. I have to establish that $p \sqsubseteq_{FDI} q$. W.l.o.g. I may assume that neither $p$ nor $q$ has any trace containing the action $g$. For let $\lambda^m$ be an injective renaming operator such that $g$ is not in the image of $\lambda^m$. Then $\lambda^m(p) \sqsubseteq \lambda^m(q)$. Suppose one can establish $\lambda^m(p) \sqsubseteq_{FDI} \lambda^m(q)$. Since $\sqsubseteq_{FDI}$ is a precongruence for renaming, this yields $p \sqsubseteq_{FDI} \lambda^{-m}(\lambda^m(p)) \sqsubseteq_{FDI} \lambda^{-m}(\lambda^m(q)) \sqsubseteq_{FDI} q$.

Suppose $\mathit{divergences}_\bot(p) \not\supseteq \mathit{divergences}_\bot(q)$; say $\sigma \in \mathit{divergences}_\bot(q) \setminus \mathit{divergences}_\bot(p)$. So there is no $\rho \le \sigma$ with $\rho \in \mathit{divergences}(p)$. Let $r$ be a deterministic process such that $CT(r) = \{\rho g \mid \rho \le \sigma\}$. Then each complete trace of $p \|_g r$ contains $g$. Here I write $\|_g$ for $\|_{A \setminus \{g\}}$, the interleaving operator that synchronises on all visible actions except $g$. As $\sqsubseteq$ is a precongruence, $p \sqsubseteq q$ implies $p \|_g r \sqsubseteq q \|_g r$, and since $\sqsubseteq$ respects the canonical liveness property, I obtain that each complete trace of $q \|_g r$ must contain $g$. However, $\rho \in \mathit{divergences}(q)$ for some $\rho \le \sigma$. So $\rho \in CT(q \|_g r)$, although $\rho$ does not contain $g$.

Suppose $\mathit{inf}_\bot(p) \not\supseteq \mathit{inf}_\bot(q)$; say $\sigma \in \mathit{inf}_\bot(q) \setminus \mathit{inf}_\bot(p)$. So $\sigma \notin \mathit{inf}(p)$ and there is no $\rho < \sigma$ with $\rho \in \mathit{divergences}(p)$. Let $r$ be a deterministic process such that $CT(r) = \{\rho g \mid \rho < \sigma\} \cup \{\sigma\}$. Then each complete trace of $p \|_g r$ contains $g$. As $\sqsubseteq$ is a precongruence, $p \sqsubseteq q$ implies $p \|_g r \sqsubseteq q \|_g r$, and since $\sqsubseteq$ respects the canonical liveness property, I obtain that each complete trace of $q \|_g r$ must contain $g$. However, either $\sigma \in \mathit{inf}(q)$ or $\rho \in \mathit{divergences}(q)$ for some $\rho < \sigma$. So either $\sigma \in CT(q \|_g r)$ or $\rho \in CT(q \|_g r)$, and neither $\sigma$ nor $\rho$ contains $g$.

Suppose $\mathit{failures}_\bot(p) \not\supseteq \mathit{failures}_\bot(q)$; say $(\sigma, X) \in \mathit{failures}_\bot(q) \setminus \mathit{failures}_\bot(p)$. So $(\sigma, X) \notin \mathit{failures}(p)$ and there is no $\rho \le \sigma$ with $\rho \in \mathit{divergences}(p)$. Let $r$ be a deterministic process with $CT(r) = \{\rho g \mid \rho < \sigma\} \cup \{\sigma a \mid a \in X\}$, and consider the liveness property given by $G := \{\rho g \mid \rho < \sigma\} \cup \{\sigma a \mid a \in X\}$. Then $p \|_g r \models \mathit{liveness}(G)$. As $\sqsubseteq$ is a precongruence, $p \sqsubseteq q$ implies $p \|_g r \sqsubseteq q \|_g r$, and since $\sqsubseteq$ respects liveness properties, also $q \|_g r \models \mathit{liveness}(G)$. However, either $(\sigma, X) \in \mathit{failures}(q)$ or there is a $\rho \le \sigma$ with $\rho \in \mathit{divergences}(q)$. So either $\sigma \in CT(q \|_g r)$ or $\rho \in CT(q \|_g r)$ for some $\rho \le \sigma$, contradicting that $q \|_g r \models \mathit{liveness}(G)$. □

The standard refinement preorder used in CSP is in fact the failures-divergences preorder $\sqsubseteq_{FD}$, defined exactly like $\sqsubseteq_{FDI}$, but abstracting from the infinite traces. As remarked in [15], this can be done because in CSP one normally restricts attention to processes $p$ with the property that for any $\sigma \in A^*$ either $\sigma \in \mathit{divergences}_\bot(p)$ or there are only finitely many processes $q$ with $p \overset{\sigma}{\Longrightarrow} q$. For such processes the set $\mathit{inf}_\bot(p)$ is, with König's Lemma, completely determined by $\mathit{failures}_\bot(p)$ and $\mathit{divergences}_\bot(p)$, and thus need not be explicitly recorded. When extending CSP to processes not having this property, the component $\mathit{inf}_\bot$ should be added to the semantics of processes [15]. In fact, $\sqsubseteq_{FDI}$ is the coarsest precongruence for $\mathcal{O}$ contained in $\sqsubseteq_{FD}$: if $p$, $q$ and $r$ are the processes used in the $\mathit{inf}_\bot$-case of the above proof, and $I := A \setminus \{g\}$, then $\varepsilon \in \mathit{divergences}_\bot(\tau_I(q \|_g r)) \setminus \mathit{divergences}_\bot(\tau_I(p \|_g r))$.

The above characterisation of $\sqsubseteq_{FDI}$ as the coarsest congruence for $\mathcal{O}$ that respects all liveness properties is somewhat robust under the choice of $\mathcal{O}$. It holds already with just $\|_S$ and injective renaming (for these are the only two operators that are used in the proof), and it remains true when adding in all operators of CSP [4], as $\sqsubseteq_{FDI}$ is known to be a precongruence for all of them [15].

By Corollary 2 the above characterisation also remains valid when requiring respect for the initial progress property only, but to this end all three operators of $\mathcal{O}$ are needed. This result has in essence been obtained already by Bill Roscoe in [15]. The state operator does not feature in [15]: its role in this full abstraction result is taken over by a renaming operator that allows renaming an action $a$ into a choice between two actions $b$ and $c$. When ignoring this difference in syntax, Theorem 7 can be obtained as an immediate corollary of Corollary 2 and that result. The main reason for using the above proof instead is to show that the concealment or abstraction operator is not needed here.

By Theorem 5, $\sqsubseteq_{FDI}$ is even fully abstract w.r.t. the partially synchronous interleaving and state operators, and the canonical liveness property. This result, like the full abstraction result of [15], does not hold without the state operator, or something equally powerful, even if renaming and abstraction are allowed to be used. Namely, as pointed out by Antti Puhakka [13], one would fail to distinguish the following two processes:

[Figure: Puhakka's two processes, which are identified by $=_{\mathit{liveness}}$]

5 Conditional Liveness Properties

[Figure 1 diagram: both processes start with a $\tau$-loop and can then perform $c$; only the left-hand process can perform $g$ afterwards]

Figure 1: Two processes with the same liveness properties but different conditional liveness properties

Figure 1 presents two processes that have the same liveness properties in any CSP-context. The fact that only the left-hand process can do something good doesn't matter here, as neither of the two processes is guaranteed to do something good: they may never proceed beyond their initial $\tau$-loops. Nevertheless, from a practical point of view, the difference between these two processes may be enormous. It could be that the action $c$ comes with a huge cost, that is only worth making when something good happens afterwards. Only the right-hand side process is able to incur the cost without any benefits, and for this reason it lacks an important property that the left-hand process has. I call such properties conditional liveness properties [6, 11]. A conditional liveness property is a property that says that

under certain conditions something good will eventually happen.

To formulate a canonical conditional liveness property, assume that the alphabet $A$ contains two specific actions $c$ and $g$, where the occurrence of $c$ is the condition, and the occurrence of $g$ is good. The canonical conditional liveness property now says that if $c$ occurs then $g$ will eventually happen.

Definition 9 A process $p$ satisfies the canonical conditional liveness property, notation $p \models \mathit{liveness}_c(g)$, if every complete trace of $p$ that contains the action $c$ also contains the action $g$.

To arrive at a general concept of conditional liveness property for labelled transition systems, assume that some condition, and some notion of good, is defined. Now, to judge whether a process $p$ satisfies this conditional liveness property, one should judge first of all in which states the condition is fulfilled. All observable behaviour of $p$ that is recorded in a labelled transition system until one comes to such a verdict is the sequence of visible actions performed until that point. Thus the condition is completely determined by the set of sequences of visible actions that, when performed by $p$, lead to such a judgement. Next one should judge whether $p$ can reach a state in which one would say that something good had happened. Again, this judgement can be expressed in terms of the sequences of visible actions that lead to such a state.

Definition 10 A conditional liveness property of processes in an LTS is given by two sets $C, G \subseteq A^*$. A process $p$ satisfies this conditional liveness property, notation $p \models \mathit{liveness}_C(G)$, when each complete trace of $p$ that has a prefix in $C$ also has a prefix in $G$.

For the sake of added generality, one could make the notion of success dependent on the particular sequence of actions that fulfilled the condition. This would make $G$ a function from $C$ to $\mathcal{P}(A^*)$ and the requirement would be that each complete trace of $p$ that has a prefix $\sigma \in C$ also has a prefix in $G(\sigma)$. However, such a generalised conditional liveness property can be expressed as a conjunction of standard ones, and a preorder that respects a given collection of properties also respects their conjunction.

Theorem 8 A precongruence for the state operator respects every conditional liveness property iff it 
respects the canonical conditional liveness property. 

Proof: "Only if" follows because the canonical conditional liveness property is in fact a conditional 
liveness property, namely the one with C being the set of those sequences that contain the action c, and 
G the set of those sequences that contain the action g. 

"If": Again I use a state operator that remembers exactly what sequence of actions has occurred so far. Thus the set of internal states of its interface specification $m$ is $A^*$, and $\sigma(m, a) := \sigma a$ for all $\sigma \in A^*$ and $a \in A$. Note that the properties $\mathit{liveness}_C(G)$ and $\mathit{liveness}_{C \setminus G}(G)$ are satisfied by the same processes, so w.l.o.g. I may restrict attention to properties $\mathit{liveness}_C(G)$ with $C \cap G = \emptyset$. Given such a property, define

$$a(m, \sigma) := \begin{cases} c & \text{if } \sigma a \in C \\ g & \text{if } \sigma a \in G \\ a & \text{otherwise.} \end{cases}$$

Then $\lambda^m_\varepsilon(p) \models \mathit{liveness}_c(g)$ iff $p \models \mathit{liveness}_C(G)$. Thus, if $p \sqsubseteq q$ and $p \models \mathit{liveness}_C(G)$, then $\lambda^m_\varepsilon(p) \sqsubseteq \lambda^m_\varepsilon(q)$ and $\lambda^m_\varepsilon(p) \models \mathit{liveness}_c(g)$. Hence $\lambda^m_\varepsilon(q) \models \mathit{liveness}_c(g)$, so $q \models \mathit{liveness}_C(G)$. □
An element $\sigma \in \mathit{divergences}(p) \cup \mathit{deadlocks}(p)$ is called a deadlock/divergence trace of a process $p$. For any $\sigma \in A^*$, not having a deadlock/divergence trace $\sigma$ is a conditional liveness property, namely with $C := \{\sigma\}$ and $G := \{\sigma a \mid a \in A\}$. Using similar techniques as for Corollary 1, one can establish:

Corollary 3 A precongruence for abstraction and for the state operator that respects the property of having no deadlock/divergence trace $c$ respects all conditional liveness properties.

Let $\sqsubseteq_{\mathit{cond.\,liveness}}$ denote the preorder that is fully abstract w.r.t. the class of conditional liveness properties and $\mathcal{O}$. Furthermore, write $\sqsubseteq_{d/d}$ for the coarsest precongruence for $\mathcal{O}$ such that $q \sqsubseteq_{d/d} p$ implies $\mathit{deadlocks}(q) \cup \mathit{divergences}(q) \subseteq \mathit{deadlocks}(p) \cup \mathit{divergences}(p)$.

Corollary 4 $p \sqsubseteq_{\mathit{cond.\,liveness}} q$ iff $q \sqsubseteq_{d/d} p$.

Proof: "If" follows immediately from Corollary 3. "Only if" follows from the observation that the absence of any deadlock/divergence trace $\sigma$ is a conditional liveness property. □

Antti Puhakka [13] has given a characterisation of the coarsest congruence that preserves deadlock/divergence traces, $=_{d/d}$. His arguments easily extend to a characterisation of $\sqsubseteq_{d/d}$ and hence, using Corollary 4, of $\sqsubseteq_{\mathit{cond.\,liveness}}$. Below I will give a direct proof of the same result. It shows that this characterisation is already valid when merely requiring the precongruence property for $\|_S$ and injective renaming.

As for $\sqsubseteq_{\mathit{liveness}}$, the characterisation of $\sqsubseteq_{\mathit{cond.\,liveness}}$ is in terms of failures, divergences and infinite traces, and again some information needs to be erased, but less than in the case of $\sqsubseteq_{\mathit{liveness}}$. This time we need to forget about failures $(\sigma, X) \in \mathit{failures}(p)$ such that $\sigma \in \mathit{divergences}(p)$, and about infinite traces of $p$ that have arbitrarily long prefixes in $\mathit{divergences}(p)$. In [13] this is achieved by removal of such failures and infinite traces; here, in order to stress the similarity with the refinement preorder of CSP, I equivalently apply the method of flooding.

Definition 11 Let $p \in \mathbb{P}$.

• $\mathit{inf}_d(p) := \mathit{inf}(p) \cup \{\sigma \in A^\infty \mid \forall \rho < \sigma.\ \exists \nu \in \mathit{divergences}(p).\ \rho < \nu < \sigma\}$.

• $\mathit{failures}_d(p) := \mathit{failures}(p) \cup \{(\sigma, X) \mid \sigma \in \mathit{divergences}(p) \wedge X \subseteq A\}$.

Theorem 9 $p \sqsubseteq_{\mathit{cond.\,liveness}} q \Leftrightarrow \mathit{divergences}(p) \supseteq \mathit{divergences}(q) \wedge \mathit{inf}_d(p) \supseteq \mathit{inf}_d(q) \wedge \mathit{failures}_d(p) \supseteq \mathit{failures}_d(q)$.

Proof: Let $\sqsubseteq^d_{FDI}$ be the preorder defined by: $p \sqsubseteq^d_{FDI} q$ iff the right-hand side of Theorem 9 holds.
"⇐": It suffices to establish that $\sqsubseteq^d_{FDI}$ is a precongruence for $\mathcal{O}$ that respects all conditional liveness properties.

To show that $\sqsubseteq^d_{FDI}$ respects conditional liveness properties, let $C, G \subseteq A^*$, $p \sqsubseteq^d_{FDI} q$, and suppose $p \models \mathit{liveness}_C(G)$. I need to show that $q \models \mathit{liveness}_C(G)$. So suppose $\sigma \in CT(q)$ and $\rho \in C$ for some prefix $\rho \le \sigma$. Then one out of three possibilities must apply: either $\sigma \in \mathit{divergences}(q) \subseteq \mathit{divergences}(p)$ or $\sigma \in \mathit{inf}(q) \subseteq \mathit{inf}_d(q) \subseteq \mathit{inf}_d(p)$ or $(\sigma, A) \in \mathit{failures}(q) \subseteq \mathit{failures}_d(q) \subseteq \mathit{failures}_d(p)$. In the first and last case, one has $\sigma \in CT(p)$. Since $p \models \mathit{liveness}_C(G)$, there must be a $\xi \le \sigma$ with $\xi \in G$, which had to be shown. In the second case either $\sigma \in \mathit{inf}(p) \subseteq CT(p)$, in which case the argument proceeds as above, or $\exists \nu \in \mathit{divergences}(p) \subseteq CT(p)$ with $\rho < \nu < \sigma$. In the latter case, there must be a $\xi \le \nu$ with $\xi \in G$, and as $\xi \le \sigma$ it follows that $q \models \mathit{liveness}_C(G)$.
That $\sqsubseteq^d_{FDI}$ is a precongruence for $\|_S$, $\tau_I$ and $\lambda^m_s$ follows from the following observations:

$\mathit{divergences}(p \|_S q) = \{\sigma \mid \exists (\nu, X) \in \mathit{failures}_d(p),\ \xi \in \mathit{divergences}(q).\ \sigma \in \nu \|_S \xi\} \cup {}$
$\qquad \{\sigma \mid \exists \nu \in \mathit{divergences}(p),\ (\xi, X) \in \mathit{failures}_d(q).\ \sigma \in \nu \|_S \xi\}$

$\mathit{inf}_d(p \|_S q) = \{\sigma \mid \exists \nu \in \mathit{inf}_d(p),\ \xi \in \mathit{inf}_d(q).\ \sigma \in \nu \|_S \xi\} \cup {}$
$\qquad \{\sigma \mid \exists (\nu, X) \in \mathit{failures}_d(p),\ \xi \in \mathit{inf}_d(q).\ \sigma \in \nu \|_S \xi\} \cup {}$
$\qquad \{\sigma \mid \exists \nu \in \mathit{inf}_d(p),\ (\xi, X) \in \mathit{failures}_d(q).\ \sigma \in \nu \|_S \xi\} \cup {}$
$\qquad \{\sigma \in A^\infty \mid \forall \rho < \sigma.\ \exists \nu \in \mathit{divergences}(p \|_S q).\ \rho < \nu < \sigma\}$

$\mathit{failures}_d(p \|_S q) = \{(\sigma, X \cup Y) \mid \exists (\nu, X) \in \mathit{failures}_d(p),\ (\xi, Y) \in \mathit{failures}_d(q).\ X \setminus S = Y \setminus S \wedge \sigma \in \nu \|_S \xi\}$
$\qquad \cup\ \{(\sigma, X) \mid \sigma \in \mathit{divergences}(p \|_S q) \wedge X \subseteq A\}$.

$\mathit{divergences}(\tau_I(p)) = \{\tau_I(\sigma) \mid \tau_I(\sigma) \in A^* \wedge \sigma \in \mathit{inf}_d(p) \cup \mathit{divergences}(p)\}$

$\mathit{inf}_d(\tau_I(p)) = \{\tau_I(\sigma) \mid \tau_I(\sigma) \in A^\infty \wedge \sigma \in \mathit{inf}_d(p)\}$
$\qquad \cup\ \{\sigma \in A^\infty \mid \forall \rho < \sigma.\ \exists \nu \in \mathit{divergences}(\tau_I(p)).\ \rho < \nu < \sigma\}$

$\mathit{failures}_d(\tau_I(p)) = \{(\tau_I(\sigma), X) \mid (\sigma, X \cup I) \in \mathit{failures}_d(p)\}$
$\qquad \cup\ \{(\sigma, X) \mid \sigma \in \mathit{divergences}(\tau_I(p)) \wedge X \subseteq A\}$

$\mathit{divergences}(\lambda^m_s(p)) = \{\lambda^m_s(\sigma) \mid \sigma \in \mathit{divergences}(p)\}$

$\mathit{inf}_d(\lambda^m_s(p)) = \{\lambda^m_s(\sigma) \mid \sigma \in \mathit{inf}_d(p)\}$
$\qquad \cup\ \{\sigma \in A^\infty \mid \forall \rho < \sigma.\ \exists \nu \in \mathit{divergences}(\lambda^m_s(p)).\ \rho < \nu < \sigma\}$

$\mathit{failures}_d(\lambda^m_s(p)) = \{(\lambda^m_s(\sigma), X) \mid (\sigma, \lambda^{-m}_{s,\sigma}(X)) \in \mathit{failures}_d(p)\}$
$\qquad \cup\ \{(\sigma, X) \mid \sigma \in \mathit{divergences}(\lambda^m_s(p)) \wedge X \subseteq A\}$.

"⇒": Let $\sqsubseteq$ be any precongruence for $\mathcal{O}$ that respects conditional liveness properties, and suppose $p \sqsubseteq q$. I have to establish that $p \sqsubseteq^d_{FDI} q$. W.l.o.g. I may assume that neither $p$ nor $q$ has any trace containing the actions $c$ or $g$. The argument for this is as in the proof of Theorem 7.

Suppose $\mathit{divergences}(p) \not\supseteq \mathit{divergences}(q)$; say $\sigma \in \mathit{divergences}(q) \setminus \mathit{divergences}(p)$. Let $r$ be a deterministic process such that $CT(r) = \{\sigma c g\}$. Then each complete trace of $p \|_{c,g} r$ that contains $c$ also contains $g$. Here I write $\|_{c,g}$ for $\|_{A \setminus \{c,g\}}$, the interleaving operator that synchronises on all visible actions except $c$ and $g$. As $\sqsubseteq$ is a precongruence, $p \sqsubseteq q$ implies $p \|_{c,g} r \sqsubseteq q \|_{c,g} r$, and since $\sqsubseteq$ respects the canonical conditional liveness property, I obtain that each complete trace of $q \|_{c,g} r$ that contains $c$ must also contain $g$. However, as $\sigma \in \mathit{divergences}(q)$, $\sigma c \in \mathit{divergences}(q \|_{c,g} r) \subseteq CT(q \|_{c,g} r)$, although $\sigma c$ does not contain $g$.

Suppose $\mathit{inf}_d(p) \not\supseteq \mathit{inf}_d(q)$; say $\sigma \in \mathit{inf}_d(q) \setminus \mathit{inf}_d(p)$. So $\sigma \notin \mathit{inf}(p)$ and there is a $\rho < \sigma$ such that $\rho < \rho\nu < \sigma$ for no sequence $\rho\nu \in \mathit{divergences}(p)$. Let $r$ be a deterministic process such that $CT(r) = \{\rho c \nu g \mid \rho\nu < \sigma\} \cup \{\sigma\}$. Then each complete trace of $p \|_{c,g} r$ that contains $c$ must also contain $g$. As $\sqsubseteq$ is a precongruence, $p \sqsubseteq q$ implies $p \|_{c,g} r \sqsubseteq q \|_{c,g} r$, and since $\sqsubseteq$ respects the canonical conditional liveness property, I obtain that each complete trace of $q \|_{c,g} r$ that contains $c$ must also contain $g$. However, either $\sigma \in \mathit{inf}(q)$ or $\rho\nu \in \mathit{divergences}(q)$ for some $\rho < \rho\nu < \sigma$. In each case $q \|_{c,g} r$ has a complete trace that contains $c$ but not $g$.

Suppose $\mathit{failures}_d(p) \not\supseteq \mathit{failures}_d(q)$; say $(\sigma, X) \in \mathit{failures}_d(q) \setminus \mathit{failures}_d(p)$. So $(\sigma, X) \notin \mathit{failures}(p)$ and $\sigma \notin \mathit{divergences}(p)$. Let $r$ be a deterministic process with $CT(r) = \{\sigma c a \mid a \in X\}$, let $C$ be the set of sequences containing $c$, and consider the conditional liveness property given by $C$ and $G := \{\sigma c a \mid a \in X\}$. Then $p \|_c r \models \mathit{liveness}_C(G)$. As $\sqsubseteq$ is a precongruence, $p \sqsubseteq q$ implies $p \|_c r \sqsubseteq q \|_c r$, and since $\sqsubseteq$ respects conditional liveness properties, also $q \|_c r \models \mathit{liveness}_C(G)$. However, either $(\sigma, X) \in \mathit{failures}(q)$ or $\sigma \in \mathit{divergences}(q)$. So $\sigma c \in CT(q \|_c r)$, contradicting that $q \|_c r \models \mathit{liveness}_C(G)$. □

In [14], Bill Roscoe has shown that $\sqsubseteq^d_{FDI}$ is a precongruence for all operators of CSP; he also developed a new fixed point theory that shows that it is a congruence for recursion as well.
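As an added worked example (my own code, not the paper's), the following script implements Definitions 8, 9 and 11 and the right-hand sides of Theorems 7 and 9 for finite LTSs whose visible behaviour is acyclic, so that $\mathit{inf}(p)$ is empty and the $\mathit{inf}$ components drop out; it then runs the checks on the two processes of Figure 1, which come out $\sqsubseteq_{FDI}$-equivalent but incomparable under $\sqsubseteq^d_{FDI}$. The state numbers, the bound MAX_LEN at which traces and flooding are cut off, and all function names are my assumptions.

```python
from itertools import combinations

TAU = "tau"
MAX_LEN = 3  # assumption: length bound for enumerated and flooded traces

def subsets(alphabet):  # all refusal sets X with X a subset of alphabet, as frozensets
    return [frozenset(c) for r in range(len(alphabet) + 1) for c in combinations(sorted(alphabet), r)]

class LTS:
    def __init__(self, initial, transitions, alphabet):  # (source, action, target) triples
        self.initial, self.alphabet = initial, frozenset(alphabet)
        self.succ = {}
        for s, a, t in transitions:
            self.succ.setdefault(s, []).append((a, t))

    def initials(self, s):
        return {a for a, _ in self.succ.get(s, [])}

    def tau_closure(self, states):
        seen, todo = set(states), list(states)
        while todo:
            for a, t in self.succ.get(todo.pop(), []):
                if a == TAU and t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def after(self, sigma):
        """All q with p ==sigma==> q; taus are absorbed around each visible action."""
        states = self.tau_closure({self.initial})
        for a in sigma:
            states = self.tau_closure({t for s in states for b, t in self.succ.get(s, []) if b == a})
        return states

    def diverges(self, s):
        """s can do infinitely many taus, i.e. some tau-cycle is tau-reachable from s."""
        return any(r in self.tau_closure({t}) for r in self.tau_closure({s})
                   for a, t in self.succ.get(r, []) if a == TAU)

    def traces(self):  # all visible traces of length at most MAX_LEN
        out, frontier = [()], [()]
        while frontier:
            frontier = [s + (a,) for s in frontier if len(s) < MAX_LEN
                        for a in sorted(self.alphabet) if self.after(s + (a,))]
            out += frontier
        return out

    def divergences(self):
        return {s for s in self.traces() if any(self.diverges(q) for q in self.after(s))}

    def failures(self):
        """Definition 8: (sigma, X) with a tau-stable q after sigma that refuses all of X."""
        return {(s, X) for s in self.traces() for q in self.after(s)
                if TAU not in self.initials(q) for X in subsets(self.alphabet - self.initials(q))}

    def deadlocks(self):
        return {s for s, X in self.failures() if X == self.alphabet}

def extensions(sigmas, alphabet):
    """{sigma rho | sigma in sigmas, rho in A*}, cut off at MAX_LEN."""
    out, frontier = set(), set(sigmas)
    while frontier:
        out |= frontier
        frontier = {s + (a,) for s in frontier if len(s) < MAX_LEN for a in alphabet}
    return out

def flooded_bottom(p):
    """Definition 8: divergences_bot and failures_bot flood everything after a divergence."""
    div = extensions(p.divergences(), p.alphabet)
    return div, p.failures() | {(s, X) for s in div for X in subsets(p.alphabet)}

def flooded_d(p):
    """Definition 11: failures_d floods only the diverging traces themselves."""
    div = p.divergences()
    return div, p.failures() | {(s, X) for s in div for X in subsets(p.alphabet)}

def refines(p, q, flood):
    """Right-hand side of Theorem 7 (flood=flooded_bottom) or Theorem 9 (flood=flooded_d);
    the inf components are empty by assumption (acyclic visible behaviour)."""
    (dp, fp), (dq, fq) = flood(p), flood(q)
    return dp >= dq and fp >= fq

def satisfies_cond_liveness(p, c="c", g="g"):
    """Definition 9 over the finite complete traces, i.e. the deadlock/divergence traces."""
    return all(g in s for s in p.divergences() | p.deadlocks() if c in s)

# The two processes of Figure 1 (constructed): a tau-loop, then c; only LEFT can then do g.
LEFT = LTS(0, [(0, TAU, 0), (0, "c", 1), (1, "g", 2)], {"c", "g"})
RIGHT = LTS(0, [(0, TAU, 0), (0, "c", 1)], {"c", "g"})
```

`refines(LEFT, RIGHT, flooded_bottom)` and its converse both hold, while `refines(LEFT, RIGHT, flooded_d)` fails on the failure $(c, \{g\})$ and the converse fails on the deadlock trace $cg$; only LEFT satisfies `satisfies_cond_liveness`.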
6 Linear Time Properties

Safety, liveness, and conditional liveness properties, as studied in the previous sections, are special cases of linear time properties. A linear time property can be thought of as any requirement on the observable content of the runs of a process. The property is satisfied by a process when the observable content of all its maximal runs satisfies this requirement. Hence a linear time property can be formalised by the set of sequences over $A^\omega$ that, when performed in a maximal run of a process, meet the requirement.

Definition 12 A linear time property of processes in an LTS is given by a set $P \subseteq A^\omega$. A process $p$ satisfies this property, notation $p \models P$, when $CT(p) \subseteq P$.

A safety property is a special kind of linear time property, namely $\mathit{safety}(B) = \{\sigma \in A^\omega \mid \neg\exists \rho \in B.\ \rho \le \sigma\}$. Likewise, $\mathit{liveness}(G) = \{\sigma \in A^\omega \mid \exists \rho \in G.\ \rho \le \sigma\}$, and
$\mathit{liveness}_C(G) = \{\sigma \in A^\omega \mid (\exists \rho \in C.\ \rho \le \sigma) \Rightarrow (\exists \nu \in G.\ \nu \le \sigma)\}$.

In [9] and most subsequent work, liveness properties are formalised in a different way than in this paper. For the canonical liveness property it is fundamentally impossible to ever tell that it is not going to be satisfied when one has only observed a finite prefix of a maximal run of a process. For if "something good" is promised to happen, it is always possible to assume it will be further in the future. In [9], this is taken to be the defining characteristic of liveness properties, and a property $P$ is called a liveness property iff $\forall \rho \in A^*.\ \exists \sigma \in P.\ \rho \le \sigma$.

The property $\mathit{liveness}(G)$ with $G = \{a\}$ for instance says that the first visible action of a process should be an $a$. It is a liveness property in my sense, since the first action being an $a$ can be thought of as a good thing that happened eventually; here the requirement that it has to happen as first action could be part of one's concept of good. However, it is not a liveness property as formalised in [9] and subsequent work, since the occurrence of a $b \ne a$ as first action proves that the property will never be satisfied.

The property that from some point onwards all visible actions a process performs should be g's, is an 
example of a liveness property in the sense of [9] that is not a liveness property in my sense. Namely, at 
no point can one ever tell that something good has happened. 

A well known theorem @ says that any linear time property $P$ can be written as the conjunction $\mathit{safety}(B) \cap P_{\mathit{liveness}}$ of a safety property and a liveness property in the sense of [9]. Namely,

$B := \{\rho \in A^* \mid \neg\exists \sigma \in P.\ \rho \le \sigma\}$ and $P_{\mathit{liveness}} := P \cup (A^\omega \setminus \mathit{safety}(B))$.

Such a theorem does not hold for my liveness properties.

My characterisation of $\sqsubseteq_{\mathit{liveness}}$ would still be valid if I would have taken as class of liveness properties the intersection of mine and the ones from [9]. This follows immediately from Theorem 5, as the canonical liveness property is in this intersection. So the extra generality in my definition is harmless. However, the extra restriction makes a difference, as the canonical conditional liveness property, for instance, is a liveness property in the sense of [9].

Liveness properties in the sense of [9] are studied because proving them requires a different tool set than proving safety properties. However, as far as practical applications are concerned, one is mostly interested in conjunctions of safety and liveness properties, i.e. general linear time properties. I will therefore not try to characterise coarsest congruences that respect just the liveness properties in the sense of [9].

The coarsest congruence respecting all linear time properties has been characterised as NDFD-equivalence by Roope Kaivola and Antti Valmari in [8]; this result extends to preorders in a straightforward way. The NDFD preorder can be defined just like $\sqsubseteq^d_{FDI}$, except that $\mathit{inf}(\_)$ is used instead of $\mathit{inf}_d(\_)$. In fact, this result can also be obtained as a corollary of what we have seen so far.
Theorem 10 $p \sqsubseteq_{\mathit{lt\text{-}properties}} q \Leftrightarrow \mathit{divergences}(p) \supseteq \mathit{divergences}(q) \wedge \mathit{inf}(p) \supseteq \mathit{inf}(q) \wedge \mathit{failures}_d(p) \supseteq \mathit{failures}_d(q)$.

Proof: Let $\sqsubseteq_{NDFD}$ be the preorder defined by: $p \sqsubseteq_{NDFD} q$ iff the right-hand side of Theorem 10 holds.
"⇐": It suffices to establish that $\sqsubseteq_{NDFD}$ is a precongruence for $\mathcal{O}$ that respects all linear time properties.

To show that $\sqsubseteq_{NDFD}$ respects linear time properties, let $P \subseteq A^\omega$, $p \sqsubseteq_{NDFD} q$, and suppose $p \models P$. I need to show that $q \models P$. So suppose $\sigma \in CT(q)$. Then either $\sigma \in \mathit{divergences}(q) \subseteq \mathit{divergences}(p)$ or $\sigma \in \mathit{inf}(q) \subseteq \mathit{inf}(p)$ or $(\sigma, A) \in \mathit{failures}(q) \subseteq \mathit{failures}_d(q) \subseteq \mathit{failures}_d(p)$. In the last case, one has either $(\sigma, A) \in \mathit{failures}(p)$ or $\sigma \in \mathit{divergences}(p)$. So in all cases $\sigma \in CT(p)$. Since $p \models P$, it must be that $\sigma \in P$. It follows that $CT(q) \subseteq P$, i.e. $q \models P$.

That $\sqsubseteq_{NDFD}$ is a precongruence for $\|_S$, $\tau_I$ and $\lambda^m_s$ follows from similar, but simpler, observations as in the proof of Theorem 9.

"⇒": Let $\sqsubseteq$ be any precongruence for $\mathcal{O}$ that respects linear time properties, and suppose $p \sqsubseteq q$. I have to establish that $p \sqsubseteq_{NDFD} q$. That $\mathit{divergences}(p) \supseteq \mathit{divergences}(q)$ and $\mathit{failures}_d(p) \supseteq \mathit{failures}_d(q)$ follows immediately from Theorem 9, using that conditional liveness properties are linear time properties. That $\mathit{inf}(p) \supseteq \mathit{inf}(q)$ follows immediately by considering the linear time property $CT(p)$. □

To obtain this result it suffices to define $\sqsubseteq_{\mathit{lt\text{-}properties}}$ as the coarsest precongruence w.r.t. $\|_S$ and injective renaming that respects all linear time properties. However, it happens to also be a precongruence for all operators of CSP.

Linear time properties do not capture the entire observable behaviour of processes in the neutral environment. Orthogonal to them are possibility properties, such as: a process may do an action $g$. As argued by Leslie Lamport, "verifying possibility properties tells you nothing interesting about a system" [10]. Nevertheless, it is not hard to characterise the coarsest precongruence for $\mathcal{O}$ that respects linear time properties as well as all possibility properties, and thereby arguably the entire observable behaviour of a process in a neutral environment. It is $=_{NDFD}$, the symmetric closure of $\sqsubseteq_{NDFD}$.

7 Concluding remark 

The methodology of the paper is close in spirit to the work on testing equivalences by Rocco De Nicola and Matthew Hennessy [5], and the results in Sections 3 and 4 are comparable as well. The notion of must testing of [5] could be reinterpreted as a way to test liveness properties, and hence, unsurprisingly, my preorder $\sqsubseteq_{\mathit{liveness}}$ is exactly the must-testing preorder of [5]. However, my safety preorder is exactly the inverse of the may testing preorder of [5]. This can be explained by thinking, in the context of may testing, of the "success"-action $\omega$ as marking a state of failure, rather than one of success. Now the property of whether a process may reach $\omega$ is exactly the negation of whether it will always avoid $\omega$. This turns may-testing around, from testing certain possibility properties, to testing safety properties. It remains to elaborate a theory of testing that captures the concept of conditional liveness.